Privacy Policy

Octopus Creative Inc.
Last updated: June 9, 2026

PRIVACY POLICY

Octopus Creative Inc. Last updated: June 9, 2026

Octopus Creative Inc. (“Octopus Creative,” “we,” “us,” or “our”) is committed to protecting the personal information of everyone who interacts with our website, services, and platform. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you visit crewrm.io, octopuscreative.ca, or use our services, including our AI Employees platform (CrewRM) and related offerings.

This policy is governed by the Personal Information Protection Act (British Columbia) (PIPA, SBC 2003, c. 63), the Personal Information Protection and Electronic Documents Act (PIPEDA, SC 2000, c. 5), Canada’s Anti-Spam Legislation (CASL, SC 2010, c. 23), and the BC Privacy Act (RSBC 1996, c. 373), as applicable. PIPEDA applies to personal information collected in the course of our commercial activities, including activities that cross provincial or national boundaries.

1. Who We Are

Octopus Creative Inc. is a digital technology and AI workforce company incorporated in British Columbia, Canada.

Mailing address: PO Box 627, Harrison Hot Springs, BC V0M 1K0, Canada

Privacy Officer contact: Use the contact form at crewrm.io/contact or call 1-866-205-8488.

2. What Personal Information We Collect

We collect personal information in the following categories:

(a) Contact and account information: name, email address, phone number, company name, and any other information you provide when completing a contact form, requesting a quote, creating a platform account, or signing up for our services.

(b) Usage and technical data: IP address, browser type, operating system, access timestamps, pages visited, click paths, and session duration. This data is collected automatically via server logs and cookies when you visit our websites.

(c) Payment and billing information: credit card details and pre-authorized debit (PAD) authorization data collected when you engage our services. Payment card data is processed by a PCI-DSS-compliant third-party payment processor. Octopus Creative does not store full payment card numbers on its own systems.

(d) Communications: records of email, telephone, or written communications between you and Octopus Creative.

(e) Marketing consent records: records of your consent to receive commercial electronic messages (CEMs) under CASL, including the date, method, and scope of consent, and the expiry of any implied consent period.

(f) Client platform data: if you are a CrewRM client or user, data that you or your organization input into the platform, including names and contact information of your clients, personnel, or business contacts. See Section 11 for how this data is handled.

3. How We Collect Personal Information

We collect personal information:

(a) Directly from you, when you complete a contact form, request a quote, make a purchase, create an account, or correspond with us.

(b) Automatically, through cookies, web beacons, and server logs when you use our website.

4. Why We Collect and Use Your Personal Information

We collect and use personal information for the following identified purposes, in accordance with PIPA s. 11 and PIPEDA Principle 4.4:

(a) To respond to your inquiries and provide the services you have requested.

(b) To process payments and manage billing.

(d) To send commercial electronic messages (CEMs) to which you have provided valid consent under CASL. You may withdraw consent at any time (see Section 13).

(e) To conduct statistical analysis and improve our services and offerings.

(f) To display interest-based advertising through third-party platforms, where you have not opted out (see Section 8).

(g) To comply with applicable legal obligations, enforce our agreements, or protect our legal rights and interests.

We do not collect personal information for purposes beyond those listed above without identifying those additional purposes and, where required, obtaining your consent.

5. Consent

We rely on your consent as the primary basis for collecting, using, and disclosing your personal information, in accordance with PIPA s. 6-8 and PIPEDA Principle 3.

For commercial electronic messages (CEMs), we distinguish between:

• Express consent: you have affirmatively opted in (for example, by checking a box or completing a sign-up form).

• Implied consent: an existing business relationship permits us to contact you under CASL. Implied consent is time-limited: 2 years from the date of a purchase or contract, or 6 months from an inquiry or application, as set out in CASL ss. 10(9)-10(10). We actively track consent expiry dates and will not send CEMs beyond the applicable consent period without seeking fresh consent.

You may withdraw consent for any non-essential uses of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent may limit our ability to provide certain services.

6. Accuracy

We take reasonable steps to ensure that personal information we collect and use is accurate, complete, and up-to-date as required for the purposes for which it is used, in accordance with PIPA s. 25 and PIPEDA Principle 6. If you believe that personal information we hold about you is inaccurate or incomplete, please contact us using the methods in Section 13.

7. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. The types of cookies we use are:

(a) Essential cookies: necessary for the website to function correctly. These cannot be disabled without affecting site functionality.

(b) Analytics cookies: help us understand how visitors use our site, including which pages are visited and how long users remain. Data collected is aggregate and is not tied to personally identifiable information (e.g., Google Analytics).

(c) Advertising cookies: set by third-party platforms including Google Ads and Meta to serve interest-based advertisements. These may track your activity across different websites.

Non-essential cookies (analytics and advertising) are only placed on your device in accordance with applicable consent requirements. You may manage or withdraw cookie consent at any time through your browser settings or through the following opt-out tools:

• Google Ads Settings: adssettings.google.com

• Meta Ad Preferences: facebook.com/ads/preferences

• Digital Advertising Alliance of Canada: youradchoices.ca

See our full Cookie Policy at crewrm.io/cookie-policy for details.

8. Interest-Based Advertising and Third-Party Analytics

Our website uses Google Analytics, Google Ads (including remarketing where active), and Meta Pixel (collectively, “ad platforms”). These platforms may set cookies on your device and collect technical data about your visit.

Data collection by these ad platforms is subject to their own privacy policies:

• Google: policies.google.com/privacy

• Meta: facebook.com/privacy/policy

Octopus Creative does not control the data practices of these third parties beyond our own configuration of their tools. We use industry-standard de-identification techniques before sharing any aggregate data with internal teams or trusted partners.

9. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention periods are:

(a) Contact form submissions and general inquiries: up to 24 months from the date of the initial inquiry, unless you become a client or renew contact voluntarily.

(b) Client records (contracts, project files, correspondence): 7 years from the end of the engagement, to satisfy standard limitation periods and tax recordkeeping obligations under the BC Limitation Act and the Income Tax Act (Canada).

(d) Server logs and analytics data: up to 12 months on a rolling basis.

(e) CASL consent records: for the duration of the relationship and 3 years after the last CEM was sent, to demonstrate compliance under CASL s. 13.

When personal information is no longer required, we securely destroy, delete, or de-identify it.

10. Cross-Border Data Transfers

Octopus Creative uses third-party software and service providers whose servers may be located outside Canada, including in the United States. These providers may include:

• Payment processors and banking platforms

• Email and SMS messaging services (e.g., Twilio and similar providers)

• Cloud hosting and AI API providers (e.g., OpenRouter and similar services)

• Analytics and advertising platforms (Google, Meta)

• Project management and CRM tools

When personal information is transferred outside Canada, we require our vendors to maintain contractual protections through data processing agreements (DPAs) or equivalent arrangements. You should be aware that personal information transferred outside Canada may be subject to the laws of the receiving jurisdiction, including laws that may permit government access to personal information. By using our website or services, you acknowledge this possibility.

11. Client Platform Data and Data Processing Role

When clients upload or input third-party data (such as the personal information of their own customers or contacts) into the CrewRM platform, Octopus Creative acts as a data processor on behalf of that client, who is the data controller. The client is responsible for ensuring they have the legal authority to share that data with us and to have it processed on their behalf.

Processing of third-party data uploaded by clients is governed by our client agreement and data processing addendum, not solely by this policy. Octopus Creative’s AI Employee platform uses automated processing to generate recommendations and draft communications on behalf of clients. Final decisions affecting individuals are made by human operators. Octopus Creative does not use fully automated decision-making that produces legal or similarly significant effects on data subjects without human oversight.

12. Disclosure of Personal Information

We do not sell, rent, or trade your personal information. We may disclose personal information:

(a) To trusted service providers who assist us in delivering our services, under contractual obligations of confidentiality. We maintain a current list of active sub-processors and can provide it upon written request.

(b) To third-party analytics and advertising platforms as described in Sections 7 and 8.

(d) To protect the legal rights, safety, or property of Octopus Creative, our clients, or the public.

(e) In connection with a merger, acquisition, or sale of our business, provided the receiving party agrees to protect personal information in a manner at least as protective as this policy requires.

13. Your Rights

Under BC PIPA and PIPEDA, you have the following rights regarding your personal information:

(a) Access (PIPA s. 23; PIPEDA Principle 9): you may request a copy of the personal information we hold about you.

(b) Correction (PIPA s. 24; PIPEDA Principle 9): you may request that inaccurate or incomplete personal information be corrected.

(c) Withdrawal of consent: you may withdraw consent for any non-essential use of your personal information at any time, subject to legal or contractual restrictions.

(d) Deletion: you may request that personal information be deleted. We will delete personal information where no valid retention obligation under Section 9 or any applicable law applies.

(e) Unsubscribe from commercial electronic messages: you may opt out of CEMs at any time by clicking the unsubscribe link in any email we send, or by contacting us directly (CASL s. 11). Unsubscribe requests will be actioned within 10 business days, as required by CASL.

To exercise any of these rights, submit a request through our contact form at crewrm.io/contact or call 1-866-205-8488. We will acknowledge your request within 5 business days and will respond fully within 30 calendar days, as required by PIPA s. 36 and PIPEDA Principle 9.

14. Security

We use reasonable organizational, technical, and physical safeguards to protect personal information from unauthorized access, loss, misuse, or disclosure. Our security measures include:

• Encryption of data in transit using TLS (Transport Layer Security)

• Role-based access controls limiting data access to authorized personnel

• Encrypted storage of sensitive personal information

• Regular review of third-party vendor security practices

• Employee confidentiality training and awareness

Payment card data is processed exclusively by our PCI-DSS-compliant payment processor. Full payment card numbers are never stored on Octopus Creative’s own servers or systems.

No method of transmission over the internet is completely secure. To report a suspected privacy incident, please contact us immediately through crewrm.io/contact.

15. Breach Notification

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to you, we will:

(a) Notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible after determining that a breach has occurred, as required by PIPEDA and the Breach of Security Safeguards Regulations (SOR/2018-64).

(b) Notify the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) as required by PIPA s. 35.

(c) Notify you directly without unreasonable delay, providing a description of the breach, the information involved, and the steps we have taken or propose to take.

We maintain records of all breaches, whether or not notification was required, for a minimum of 24 months.

16. Children’s Privacy

Our services are not directed at children under the age of 16. We do not knowingly collect personal information from children. If you believe a child has submitted personal information through our website, please contact us immediately through crewrm.io/contact and we will delete that information promptly.

17. Complaints

If you believe your privacy rights have been violated, we encourage you to contact our Privacy Officer first so we can attempt to resolve the issue directly. Submit a request through crewrm.io/contact. We aim to acknowledge complaints within 5 business days and to resolve them within 30 calendar days.

If you are not satisfied with our response, you may file a complaint with:

• Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca | 1-800-282-1376

• Office of the Information and Privacy Commissioner for British Columbia (OIPC BC): oipc.bc.ca | 1-800-663-7867

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or our services. We will post the revised policy on this page with an updated “Last updated” date. Continued use of our website after changes are posted constitutes your acceptance of those changes for personal information collected after the effective date. For material changes that affect how previously collected personal information is used for new purposes, we will seek fresh consent as required by BC PIPA s. 8.

19. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of British Columbia and the laws of Canada applicable therein. Any disputes arising under or in connection with this policy shall be subject to the exclusive jurisdiction of the courts of British Columbia.

20. Contact

For any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal information, please contact:

Octopus Creative Inc. Privacy Officer
PO Box 627, Harrison Hot Springs, BC V0M 1K0, Canada
Phone: 1-866-205-8488
Contact form: crewrm.io/contact
Website: crewrm.io

The AI Operating System & Digital Workforce for SMBs.

Platform

The Workforce

Pricing

Why CrewRM

Industries

Trades & Services

Chambers & Associations

Cookie Policy